Health data breaches in March surpassed January and February combined, study finds

Security incidents spiked upward during March, according to the Protenus Breach Barometer, a monthly snapshot of reported or disclosed breaches impacting the healthcare industry, with data compiled and provided by DataBreaches.net.

The number of patient records breached also rose, with almost 700,000 in one single incident, the report said.

March, in fact, had more than 2.5 times the number of breached records in January and February combined. There were 39 breach incidents in March, affecting 1,519,521 patient records. Information was available for 35 of those incidents.

The largest single incident involved 697,800 patient records and was reported to HHS as “theft-other,” the Breach Barometer found.

The insider threat at healthcare organizations continues to be a major cybersecurity problem. Insiders were responsible for 44 percent of March’s total breach incidents (17 incidents), affecting 179,381 patient records, the Breach Barometer found. Ten of the reported insider incidents were the result of insider error. For the insider error incidents for which there are numbers, 14,219 patient records were affected. Seven of the reported incidents were the result of insider wrongdoing. There are numbers for five of these incidents, which affected 165,162 patient records, according to the barometer.

Hacking accounted for a noteworthy percentage of records and incidents (11 incidents accounted for 28 percent of total incidents), the Breach Barometer found. Hacking incidents reported in March affected 600,270 patient records.

Of the 39 health data breach incidents in March, 33 (84.6 percent) were reported by healthcare providers, four by health plans, one by a business associate or third party, and one was disclosed in a media report but has not been confirmed by the organization, Protenus found.

Third-party breaches represented a significant portion of total breached patient records during the first two months of 2017: 82 percent in January and 21 percent in February, according to the Breach Barometer. However, in March third parties were only responsible for 3 percent (one incident) of total breached patient records. There could have been more incidents with third parties, but there was not enough information for a number of incidents to make that determination, Protenus said.

The 39 health data breaches in March occurred in 20 states, the Breach Barometer found. Texas had six incidents; Tennessee, Pennsylvania, Kentucky, California and Missouri each had three incidents, according to the Breach Barometer .